diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c33b5e052aa0..ba8940c69b3d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -248,6 +248,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve validation checks for Azure configuration {issue}20369[20369] {pull}20389[20389]
- Fix event.kind for system/syslog pipeline {issue}20365[20365] {pull}20390[20390]
- Clone value when copy fields in processors to avoid crash. {issue}19206[19206] {pull}20500[20500]
+- Fix event.type for zeek/ssl and duplicate event.category for zeek/connection {pull}20696[20696]
*Heartbeat*
diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
index a243e057420d..9cd654edd516 100644
--- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -30,18 +30,14 @@ processors:
- script:
source: if (ctx.zeek.connection.local_resp) ctx.tags.add("local_resp");
if: ctx.zeek.connection.local_resp != null
-- set:
- field: source.ip
- value: '{{source.address}}'
- append:
field: related.ip
- value: '{{source.address}}'
-- set:
- field: destination.ip
- value: '{{destination.address}}'
+ value: '{{source.ip}}'
+ if: ctx?.source?.ip != null
- append:
field: related.ip
- value: '{{destination.address}}'
+ value: '{{destination.ip}}'
+ if: ctx?.destination?.ip != null
- script:
source: ctx.network.packets = ctx.source.packets + ctx.destination.packets
ignore_failure: true
@@ -101,12 +97,6 @@ processors:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
-- set:
- field: event.kind
- value: event
-- append:
- field: event.category
- value: network
- script:
params:
S0:
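Review bot: The two `append` processors for related.ip add the same address twice whenever source.ip equals destination.ip; the dnp3 fixture further down in this change shows the result (`"related.ip": ["127.0.0.1", "127.0.0.1"]`). related.ip is a pivot field, so duplicates only add noise to anything that counts or aggregates on it; where the target Elasticsearch supports it, `allow_duplicates: false` on each append keeps the entry unique. The dce_rpc and dnp3 hunks below have the same shape. This hunk also drops the `set` of source.ip/destination.ip from the `.address` fields, and the new `if: ctx?.source?.ip != null` guards silently skip if nothing upstream populates those ip fields, which the hunk cannot show.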
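Review bot: event.kind is removed together with the duplicated event.category append, although the PR title only covers the duplicate category and nothing visible here sets event.kind elsewhere for zeek.connection. The ssl.yml hunk in this change sets `kind: event` through add_fields, so the connection config presumably does too; if it does not, documents lose event.kind and the connection fixture hunks (which only touch event.category) would not catch it. Keeping `- set: field: event.kind value: event override: false` until that is confirmed costs nothing and cannot duplicate anything. The script processor that follows continues outside the hunk.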
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
index 35a539b1493b..ccb28ef2f925 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
@@ -7,7 +7,6 @@
"destination.packets": 1,
"destination.port": 53,
"event.category": [
- "network",
"network"
],
"event.dataset": "zeek.connection",
@@ -66,7 +65,6 @@
"destination.packets": 1,
"destination.port": 53,
"event.category": [
- "network",
"network"
],
"event.dataset": "zeek.connection",
@@ -124,7 +122,6 @@
"destination.packets": 1,
"destination.port": 53,
"event.category": [
- "network",
"network"
],
"event.dataset": "zeek.connection",
@@ -180,7 +177,6 @@
"destination.ip": "198.51.100.249",
"destination.packets": 0,
"event.category": [
- "network",
"network"
],
"event.dataset": "zeek.connection",
diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
index e77cd5646f03..f0a837709dcf 100644
--- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
@@ -15,6 +15,7 @@ processors:
- append:
field: related.ip
value: '{{source.ip}}'
+ if: ctx?.source?.ip != null
- geoip:
field: source.ip
target_field: source.geo
@@ -37,6 +38,7 @@ processors:
- append:
field: related.ip
value: '{{destination.ip}}'
+ if: ctx?.destination?.ip != null
- geoip:
field: destination.ip
target_field: destination.geo
diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
index f1a1e527cfc2..5585d24327e7 100644
--- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
@@ -23,6 +23,14 @@ processors:
- lowercase:
field: event.action
ignore_missing: true
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ if: ctx?.source?.ip != null
+- append:
+ field: related.ip
+ value: '{{destination.ip}}'
+ if: ctx?.destination?.ip != null
- geoip:
field: destination.ip
target_field: destination.geo
diff --git a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
index fa386feb1ceb..c9397cc7b9f7 100644
--- a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json
@@ -23,6 +23,10 @@
"network.community_id": "1:E57Z1w3RrSdR+fi6rSZblbQVhzY=",
"network.protocol": "dnp3",
"network.transport": "tcp",
+ "related.ip": [
+ "127.0.0.1",
+ "127.0.0.1"
+ ],
"service.type": "zeek",
"source.address": "127.0.0.1",
"source.ip": "127.0.0.1",
diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
index a64579359374..82d0306ea63a 100644
--- a/x-pack/filebeat/module/zeek/dns/config/dns.yml
+++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -179,7 +179,6 @@ processors:
- {from: source.address, to: source.ip, type: ip}
- {from: destination.address, to: destination.ip, type: ip}
- {from: zeek.session_id, to: event.id}
- - {from: '@timestamp', to: event.created}
- {from: zeek.dns.trans_id, to: dns.id}
- {from: zeek.dns.query, to: dns.question.name}
- {from: zeek.dns.qtype_name, to: dns.question.type}
@@ -197,18 +196,12 @@ processors:
{{ if .community_id }}
- community_id:
{{ end }}
- - timestamp:
- ignore_missing: true
- field: zeek.dns.ts
- layouts:
- - UNIX
- drop_fields:
ignore_missing: true
fields:
- zeek.dns.Z
- zeek.dns.auth
- zeek.dns.addl
- - zeek.dns.ts
- add_fields:
target: ''
fields:
diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
index 77ea898c66bb..6d9ed369ea89 100644
--- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
@@ -5,6 +5,15 @@ processors:
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.created
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.dns.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.dns.ts
# IP Geolocation Lookup
- geoip:
diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml
index 9293393192f5..4d35472f3ead 100644
--- a/x-pack/filebeat/module/zeek/intel/config/intel.yml
+++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml
@@ -14,10 +14,6 @@ processors:
- decode_json_fields:
fields: [event.original]
target: zeek.intel
- - timestamp:
- field: zeek.intel.ts
- layouts: [UNIX]
- test: "1573030980.989353"
- convert:
ignore_missing: true
fields:
@@ -57,7 +53,6 @@ processors:
- drop_fields:
ignore_missing: true
fields:
- - zeek.intel.ts
- zeek.intel.id.orig_h
- zeek.intel.id.orig_p
- zeek.intel.id.resp_h
diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
index c6e64e016b85..f70094311318 100644
--- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
@@ -7,7 +7,12 @@ processors:
- set:
field: event.created
value: '{{@timestamp}}'
-
+ - date:
+ field: zeek.intel.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.intel.ts
# IP Geolocation Lookup
- geoip:
if: ctx.source?.geo == null
diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
index 210d97710239..e64c5ec9eb33 100644
--- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
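Review bot: The new `date` processor on zeek.dns.ts is unguarded, so a record without `ts` now fails the whole document, whereas the Beat-side `timestamp` processor it replaces carried `ignore_missing: true` (removed in the dns.yml hunk above); the `remove` that follows throws on an absent field as well. If the stricter behaviour is intended it should be a deliberate choice; otherwise `if: ctx.zeek?.dns?.ts != null` on the date processor and `ignore_missing: true` on the remove restore the previous tolerance. The intel pipeline hunk on this line and the new x509 pipeline.yml below add the same unguarded date/remove pair for their own `ts` fields. Whether the dns and intel pipelines define an `on_failure` handler that records the error is outside these hunks.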
@@ -71,11 +71,11 @@ processors:
field: event.type
value: error
if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'"
-- append:
+- set:
field: event.outcome
value: success
if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status == 'succeeded'"
-- append:
+- set:
field: event.outcome
value: failure
if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'"
diff --git a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
index c8172d23d1aa..0a45d16a5690 100644
--- a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
@@ -11,9 +11,7 @@
"event.id": "Cmz4Cb4qCw1hGqYw1c",
"event.kind": "event",
"event.module": "zeek",
- "event.outcome": [
- "success"
- ],
+ "event.outcome": "success",
"event.type": [
"connection",
"protocol"
diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
index e140ba94e2c3..00398bf2b580 100644
--- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
+++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
@@ -72,7 +72,7 @@ processors:
kind: event
category:
- network
- kind:
+ type:
- connection
- protocol
{{ if .community_id }}
diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
index c40801f4243f..4f5fd4851bc0 100644
--- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
@@ -65,7 +65,7 @@ processors:
- kv:
field: zeek.ssl.issuer
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.server.issuer
ignore_missing: true
- rename:
@@ -104,7 +104,7 @@ processors:
- kv:
field: zeek.ssl.subject
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.server.subject
ignore_missing: true
- remove:
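Review bot: Switching event.outcome from `append` to `set` gives ECS the single keyword it expects, but only the success branch is exercised by the fixture updated in the next hunk; the failure branch (`ctx.zeek.socks.status != 'succeeded'`) has no visible coverage, so a socks.log line with a non-succeeded status would be worth adding to the test input. Both conditions are null-safe on the status path, so an event without a status gets no event.outcome at all, which is the usual ECS practice for an unknown outcome. The processor that sets `event.type` continues above the hunk.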
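Review bot: Quoting `value_split: '='` is the right YAML fix, but the kv processor it belongs to turns every `key=value` component of a peer-supplied certificate DN into a subfield of zeek.ssl.server.issuer with no `include_keys` restriction, so unexpected DN attribute names end up as document fields and, under dynamic mapping, as index fields. `include_keys: [C, CN, L, O, OU, ST]` — presumably the keys the rename processors after the hunk handle — bounds that to the attributes the pipeline actually maps. The same applies to the subject, client_issuer and client_subject kv processors in the following ssl hunks and to the two kv processors in the new x509 pipeline.yml further down. The rename processors that consume the kv output lie outside this hunk.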
@@ -142,7 +142,7 @@ processors:
- kv:
field: zeek.ssl.client_issuer
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.client.issuer
ignore_missing: true
- rename:
@@ -181,7 +181,7 @@ processors:
- kv:
field: zeek.ssl.client_subject
field_split: ','
- value_split: =
+ value_split: '='
target_field: zeek.ssl.client.subject
ignore_missing: true
- remove:
diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
index 526a43a350b8..2897b7df9f29 100644
--- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
@@ -19,11 +19,12 @@
],
"event.dataset": "zeek.ssl",
"event.id": "CAOvs1BMFCX2Eh0Y3",
- "event.kind": [
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
"connection",
"protocol"
],
- "event.module": "zeek",
"fileset.name": "ssl",
"input.type": "log",
"log.offset": 0,
@@ -90,11 +91,12 @@
],
"event.dataset": "zeek.ssl",
"event.id": "C3mki91FnnNtm0u1ok",
- "event.kind": [
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
"connection",
"protocol"
],
- "event.module": "zeek",
"fileset.name": "ssl",
"input.type": "log",
"log.offset": 635,
diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json
deleted file mode 100644
index aeb1dbf36fba..000000000000
--- a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json
+++ /dev/null
@@ -1,237 +0,0 @@
-{
- "description": "Pipeline for normalizing Zeek x509.log",
- "processors": [
- {
- "set": {
- "field": "event.ingested",
- "value": "{{_ingest.timestamp}}"
- }
- },
- {
- "set": {
- "field": "event.created",
- "value": "{{@timestamp}}"
- }
- },
- {
- "date": {
- "field": "zeek.x509.ts",
- "formats": ["UNIX"]
- }
- },
- {
- "remove": {
- "field": "zeek.x509.ts"
- }
- },
- {
- "set": {
- "field": "event.id",
- "value": "{{zeek.session_id}}",
- "if": "ctx.zeek.session_id != null"
- }
- },
- {
- "dot_expander": {
- "field": "certificate.exponent",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "certificate.serial",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "certificate.version",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.dns",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.uri",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.email",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.ip",
- "path": "zeek.x509"
- }
- },
- {
- "dot_expander": {
- "field": "san.other_fields",
- "path": "zeek.x509"
- }
- },
- {
- "date": {
- "field": "zeek.x509.certificate.valid.from",
- "target_field": "zeek.x509.certificate.valid.from",
- "formats": ["UNIX"],
- "if": "ctx.zeek.x509.certificate?.valid?.from != null"
- }
- },
- {
- "date": {
- "field": "zeek.x509.certificate.valid.until",
- "target_field": "zeek.x509.certificate.valid.until",
- "formats": ["UNIX"],
- "if": "ctx.zeek.x509.certificate?.valid?.until != null"
- }
- },
-
- {
- "gsub": {
- "field": "zeek.x509.certificate.iss",
- "pattern": "\\\\,",
- "replacement": "",
- "ignore_missing": true
- }
- },
- {
- "kv": {
- "field": "zeek.x509.certificate.iss",
- "field_split": ",",
- "value_split": "=",
- "target_field": "zeek.x509.certificate.issuer",
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "zeek.x509.certificate.iss",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.C",
- "target_field": "zeek.x509.certificate.issuer.country",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.CN",
- "target_field": "zeek.x509.certificate.issuer.common_name",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.L",
- "target_field": "zeek.x509.certificate.issuer.locality",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.O",
- "target_field": "zeek.x509.certificate.issuer.organization",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.OU",
- "target_field": "zeek.x509.certificate.issuer.organizational_unit",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.issuer.ST",
- "target_field": "zeek.x509.certificate.issuer.state",
- "ignore_missing": true
- }
- },
-
- {
- "gsub": {
- "field": "zeek.x509.certificate.sub",
- "pattern": "\\\\,",
- "replacement": "",
- "ignore_missing": true
- }
- },
- {
- "kv": {
- "field": "zeek.x509.certificate.sub",
- "field_split": ",",
- "value_split": "=",
- "target_field": "zeek.x509.certificate.subject",
- "ignore_missing": true
- }
- },
- {
- "remove": {
- "field": "zeek.x509.certificate.sub",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.C",
- "target_field": "zeek.x509.certificate.subject.country",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.CN",
- "target_field": "zeek.x509.certificate.subject.common_name",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.L",
- "target_field": "zeek.x509.certificate.subject.locality",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.O",
- "target_field": "zeek.x509.certificate.subject.organization",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.OU",
- "target_field": "zeek.x509.certificate.subject.organizational_unit",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "zeek.x509.certificate.subject.ST",
- "target_field": "zeek.x509.certificate.subject.state",
- "ignore_missing": true
- }
- }
- ],
- "on_failure" : [{
- "set" : {
- "field" : "error.message",
- "value" : "{{ _ingest.on_failure_message }}"
- }
- }]
-}
diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml
new file mode 100644
index 000000000000..060db4179c10
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml
@@ -0,0 +1,135 @@
+---
+description: Pipeline for normalizing Zeek x509.log
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.created
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.x509.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.x509.ts
+ - set:
+ field: event.id
+ value: '{{zeek.session_id}}'
+ if: ctx.zeek.session_id != null
+ - dot_expander:
+ field: certificate.exponent
+ path: zeek.x509
+ - dot_expander:
+ field: certificate.serial
+ path: zeek.x509
+ - dot_expander:
+ field: certificate.version
+ path: zeek.x509
+ - dot_expander:
+ field: san.dns
+ path: zeek.x509
+ - dot_expander:
+ field: san.uri
+ path: zeek.x509
+ - dot_expander:
+ field: san.email
+ path: zeek.x509
+ - dot_expander:
+ field: san.ip
+ path: zeek.x509
+ - dot_expander:
+ field: san.other_fields
+ path: zeek.x509
+ - date:
+ field: zeek.x509.certificate.valid.from
+ target_field: zeek.x509.certificate.valid.from
+ formats:
+ - UNIX
+ if: ctx.zeek.x509.certificate?.valid?.from != null
+ - date:
+ field: zeek.x509.certificate.valid.until
+ target_field: zeek.x509.certificate.valid.until
+ formats:
+ - UNIX
+ if: ctx.zeek.x509.certificate?.valid?.until != null
+ - gsub:
+ field: zeek.x509.certificate.iss
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+ - kv:
+ field: zeek.x509.certificate.iss
+ field_split: ','
+ value_split: '='
+ target_field: zeek.x509.certificate.issuer
+ ignore_missing: true
+ - remove:
+ field: zeek.x509.certificate.iss
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.issuer.C
+ target_field: zeek.x509.certificate.issuer.country
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.issuer.CN
+ target_field: zeek.x509.certificate.issuer.common_name
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.issuer.L
+ target_field: zeek.x509.certificate.issuer.locality
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.issuer.O
+ target_field: zeek.x509.certificate.issuer.organization
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.issuer.OU
+ target_field: zeek.x509.certificate.issuer.organizational_unit
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.issuer.ST
+ target_field: zeek.x509.certificate.issuer.state
+ ignore_missing: true
+ - gsub:
+ field: zeek.x509.certificate.sub
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+ - kv:
+ field: zeek.x509.certificate.sub
+ field_split: ','
+ value_split: '='
+ target_field: zeek.x509.certificate.subject
+ ignore_missing: true
+ - remove:
+ field: zeek.x509.certificate.sub
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.subject.C
+ target_field: zeek.x509.certificate.subject.country
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.subject.CN
+ target_field: zeek.x509.certificate.subject.common_name
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.subject.L
+ target_field: zeek.x509.certificate.subject.locality
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.subject.O
+ target_field: zeek.x509.certificate.subject.organization
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.subject.OU
+ target_field: zeek.x509.certificate.subject.organizational_unit
+ ignore_missing: true
+ - rename:
+ field: zeek.x509.certificate.subject.ST
+ target_field: zeek.x509.certificate.subject.state
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zeek/x509/manifest.yml b/x-pack/filebeat/module/zeek/x509/manifest.yml
index 5d3747af787d..674610886fcf 100644
--- a/x-pack/filebeat/module/zeek/x509/manifest.yml
+++ b/x-pack/filebeat/module/zeek/x509/manifest.yml
@@ -13,5 +13,5 @@ var:
- name: community_id
default: true
-ingest_pipeline: ingest/pipeline.json
+ingest_pipeline: ingest/pipeline.yml
input: config/x509.yml
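Review bot: The `gsub` before each kv processor deletes escaped commas rather than unescaping them (`pattern: \\,` with `replacement: ""`), so a DN component such as `O=Example\, Inc.` is indexed as `O=Example Inc.`; this is carried over from the deleted JSON, but the conversion is the moment to at least document it with a comment above each gsub such as `# kv cannot split around escapes, so the "\," escape is dropped before splitting; the comma itself is lost from the value`. The `date` and `remove` processors for zeek.x509.ts are unguarded, unlike the two `date` processors for valid.from/valid.until that carry an `if`, so a record without `ts` goes straight to `on_failure` with only error.message set. `if: ctx.zeek.session_id != null` is also not null-safe on `ctx.zeek`, unlike the `ctx?.` style used elsewhere in this change; `if: ctx.zeek?.session_id != null` would match.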